unrevoked forever is a tool to set your Android phone's security level to S-OFF. The security level is a flag stored on the radio; when the flag is S-OFF, the bootloader (HBOOT) will no longer check the signatures of firmware images before flashing them. This allows custom firmware images to be uploaded, including unsigned boot, recovery, splash1, and hboot images (as well as official images that have been modified). When the system is S-OFF, the NAND flash memory protection is also reduced; this allows all partitions (including /system) to be written to while the operating system is booted.

The most substantial benefit of unrevoked forever is that the change is stored in the radio's NV memory; no ENG bootloader is necessary to continue to flash firmware images. Even if an “unrootable” OTA update is accepted, a device on which unrevoked forever has been run will still be able to reflash a custom recovery image.

We know you just want to install unrevoked forever. However, before you do, please read this section in its entirety. It contains important information to avoid bricking your phone.

We believe unrevoked forever to be safe for your phone. However, forever unlocks a few capabilities that make it substantially easier to cause (in some cases, permanent) damage. Here are a list of things to be aware of:

As with all hacks to your phone's firmware, setting your phone S-OFF will void the warranty on your phone. Do not take your phone in for support until you have set your phone S-ON and removed all custom modifications. Damaging your phone by flashing a custom bootloader, or other unusual combinations of firmware, is not covered under warranty; although your carrier may not check to see if your phone was modified, please be honest.

unrevoked forever allows you, among other things, to reflash the hboot partition on your phone. Doing so carries risk; a bad hboot flash can render the phone permanently unusable. Be cautious about where you accept updates from.

When doing updates, be sure to flash all partitions at the same time. For instance, on Incredible, running a 0.92 hboot and a 2.15 radio with a 2.6.29 Linux kernel will result in the system becoming unusable until reflashed.

unrevoked forever comes with NO WARRANTY (express or implied), and NO GUARANTEE OF FITNESS for any particular task. Although we have attempted to minimize the risk the best we can, the authors disclaim any chance of damage to your phone. The entire risk of running unrevoked forever lies with you, the user.

HTC CDMA Hero, running radio baseband versions (S-OFF only at this time, S-ON coming soon):

1.04.01.09.21

2.41.04.02.02

2.42.01.04.23

2.42.01.04.27

HTC CDMA Desire, running radio baseband versions (S-OFF only at this time, S-ON coming soon):

2.05.10.06.29

2.05.10.08.11

You can determine your radio baseband version by holding the VOLUME DOWN key while powering on the phone.

We believe the mechanism behind unrevoked forever may work for other radios and devices, and will add support as radio images are made available to us.

Note that these radio basebands are only need to apply the update. Once the update is applied, you may freely switch to any radio, including one that is not listed. The unrevoked forever update works at the sub-radio level.

The update can be installed like any custom .zip file. Simply flash it from your custom recovery. Both Amon_RA and Clockworkmod Recoveries support custom .zip installs from the sdcard.

Either select the option to install a .zip from your SD card, or apply it as an update.zip as follows:

Place the update.zip file into the root of your SD card. You can do this with adb with the command: adb push unrevoked-forever.zip /sdcard/update.zip

Reboot your phone into recovery mode. You can do this by removing your phone's battery, holding down the VOLUME DOWN button, and inserting the battery; at the menu, press VOLUME DOWN to highlight recovery, then press POWER to select it.

What is the difference between an ENG bootloader and unrevoked forever? Are there any disadvantages?
This is a permanent patch; unrevoked forever works below the radio level. Thus, even if an update removes the ENG bootloader, a device that has run forever will remain S-OFF. It is possible for HTC to produce an update to remove this, but a carrier that distributes such an update would also break legitimate test phones, reverting them back to “release” phones.

For Droid Incredible users, this is the only way to obtain S-OFF access. However, the EVO 4G's ENG bootloader allows certain extended fastboot commands to be used. Currently, unrevoked forever does not enable these extended commands; however, the ENG bootloader can be used in conjunction with unrevoked forever to have permanent S-OFF access as well as access to the extended commands. For HTC Incredible users, our intent is to eventually bring our own ENG patched HBOOT to the Incredible.

How can this be removed or undone if I need to take my phone in for service?
Download the latest ''S-ON'' tool to a temporary location and follow the installation instructions above to run it. Once your phone is S-ON, you may lose root permanently if you install an official update

If I've run an earlier version of unrevoked forever, do I need to run a later version when it comes out?
No. The later versions contain updates for compatibility and stability, but contain the same S-OFF patch as earlier versions.

How can I use S-OFF to recover from an unrooted update?S-OFF gives your device permanent NAND unlock in the booted system, and also disables HBOOT's signature checking on firmware zip files. So, even if you take a OTA that has not been rooted, you can simply flash a new recovery that allows you to install su, and use that to restore yourself to a fully rooted system. We have provided ClockworkMod and Amon-Ra recovery images for you to use for this purpose.

How do I create a unsigned zip to flash in HBOOT?
Download one of the example zip files (either the recovery or the splash zip files) appropriate for your platform, and extract the android-info.txt file from it. Zip the file that you wish to flash (usually named something like BOOT.IMG, SPLASH1.NB0, RECOVERY.IMG, …) up along with an appropriate android-info.txt into a file named either PB31IMG.ZIP (for Incredible) or PC36IMG.ZIP (for Evo), and place this file on the root of your SD card. Power the phone up while holding the VOLUME DOWN button, choose HBOOT, and press VOLUME UP when prompted to flash the image. Be careful – in this state, the phone will not prevent you from doing dumb things like flashing an invalid HBOOT!

When I try to get into Fastboot by pressing VOLUME UP and booting the phone, my phone instead buzzes three times and acts dead. What happened?
The S-OFF update also enables Qualcomm Diagnostics mode on your phone, which is entered by doing what you just did. You can exit this mode (and boot normally) by removing the battery and USB cable.

Will you release the source code?
At this time, we are not disclosing the vulnerability we have exploited to set the phone S-OFF.

That doesn't seem fair! Android is about open source.
In some senses, we agree; but at times, a tradeoff needs to be made. Releasing the source code for this, we believe, would compromise the greater ability to unlock devices like these in the future. Given the choice between sacrificing the liberty of running code on our handsets and the liberty of reading the code by which we unlock it, we feel that the millions of handsets are more important. It is unfortunate that we must make such a choice, and we look forward to the day in the future that no such decision need be made.

I found this software useful, and I would like to donate to the team!
Thank you for your support. At this time, the unrevoked team does not accept donations; but we highly encourage our users to donate to the Electronic Frontier Foundation. The EFF performs the important role of standing up for our digital liberties, including the liberties to reverse-engineer devices that we own. If you are able, please consider making a contribution to them so that they can continue to perform this valuable service.